spring-projects/spring-ws

Upgrade to commons-collections4 dependency

tflucker opened this issue · 2 comments

Currently the Artemis-Jakarta-Client dependencies include commons-collections/commons-collections/3.2.2. Would it be possible to update the code so that the commons-collections4/4.4 dependency is used instead? This is to address a security vulnerability and pass certain code scans successfully. Please reach out if additional information is required. Thank you!

@tflucker I do not find any viable CVEs logged against commons-collections:commons-collections:3.2.2; can you please provide more information? They all rely on Java serialization and deserialization. This project has the aim of providing mechanisms for consuming WebServices and avoids RMI/CORBA etc.

The commons-collections:3.2.2 dependency is a transitive dependency of a test dependency.
We cannot exclude this dependency without breaking the JMS tests.
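A scanner finding on a transitive dependency is worth triaging by scope before anything else: a jar that reaches the build only through a test-scoped dependency is not packaged with the application. The following script is an added example, not part of this thread or of the spring-ws project. It parses the text that `mvn dependency:tree` prints and reports, for a given group:artifact, every version and scope it appears in. The embedded tree is a constructed sample: the commons-collections coordinates and the artemis-jakarta-client artifact name come from the issue, while the root artifact, the other modules and all other version strings are placeholders.

```python
"""Triage helper for a dependency-scanner finding: in which Maven scopes does a
flagged artifact actually appear?  Added example, not spring-ws project code.
It parses the text that `mvn dependency:tree` prints.  The embedded tree
below is a constructed sample (commons-collections coordinates from the issue;
root artifact, other modules and non-3.2.2 versions are placeholders)."""
import re
import sys
from collections import defaultdict

# Constructed sample of `mvn dependency:tree` output.
SAMPLE_TREE = (
    "[INFO] --- dependency:tree (default-cli) @ example-app ---\n"
    "[INFO] org.example:example-app:jar:1.0.0\n"
    "[INFO] +- org.springframework:spring-jms:jar:0.0.0-PLACEHOLDER:compile\n"
    "[INFO] +- org.apache.activemq:artemis-jakarta-client:jar:0.0.0-PLACEHOLDER:test\n"
    "[INFO] |  \\- commons-collections:commons-collections:jar:3.2.2:test\n"
    "[INFO] \\- junit:junit:jar:0.0.0-PLACEHOLDER:test\n"
)

TREE_LINE = re.compile(
    r"^\[INFO\]\s+(?:[|+\\\- ]+)?"                    # tree-drawing prefix: "+- ", "|  \- "
    r"([A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+)+)\s*$"  # group:artifact:type[:classifier]:version[:scope]
)


def parse_tree(text):
    """Yield (group, artifact, version, scope) for each dependency line.
    Maven prints group:artifact:type[:classifier]:version:scope; the root
    artifact line carries no scope and is skipped."""
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) == 5:
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue
        yield group, artifact, version, scope


def scopes_for(text, group, artifact):
    """Return {version: sorted scopes} for every occurrence of group:artifact."""
    found = defaultdict(set)
    for g, a, v, s in parse_tree(text):
        if (g, a) == (group, artifact):
            found[v].add(s)
    return {v: sorted(s) for v, s in found.items()}


def reaches_runtime(text, group, artifact):
    """True if any occurrence is outside the test scope, i.e. the artifact ends
    up on a classpath of the shipped application rather than only of the tests."""
    return any(
        s != "test"
        for scopes in scopes_for(text, group, artifact).values()
        for s in scopes
    )


def main(argv):
    # Usage: python triage.py tree.txt GROUP ARTIFACT
    # With no arguments the constructed sample tree is used.
    if len(argv) == 4:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
        group, artifact = argv[2], argv[3]
    else:
        text = SAMPLE_TREE
        group, artifact = "commons-collections", "commons-collections"
    found = scopes_for(text, group, artifact)
    if not found:
        print(f"{group}:{artifact} is not present in the tree")
        return 1
    for version, scopes in sorted(found.items()):
        print(f"{group}:{artifact}:{version} -> scopes: {', '.join(scopes)}")
    verdict = "reaches a non-test classpath" if reaches_runtime(text, group, artifact) else "test-only"
    print(f"verdict: {verdict}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `mvn dependency:tree > tree.txt` in the module the scanner flagged and pass the file to the script; `mvn dependency:tree -Dincludes=commons-collections:commons-collections` narrows the printed tree to the artifact of interest. A result of `test` for every occurrence matches what the maintainer describes above: the jar is pulled in only by a test dependency, so excluding it would affect the test classpath (and here break the JMS tests) without changing what ships. Any `compile`, `runtime` or `provided` occurrence is the case that actually needs a version bump or exclusion.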